On 11/28/10 5:29 PM, Marko Vojinovic wrote:
>
> I wouldn't know the typical ratio itself as a number, but I can tell you it is
> surely less than one. I had three identical systems compromised at the same
> time (one of the users had a weak password, and he used the same password on
> all three machines... you wouldn't believe...). Two systems had SELinux
> disabled, the third one had it enabled. For the first two, the intruder managed to
> escalate to root and I had a busy weekend reinstalling those machines from
> scratch afterwards. For the third one, the intruder never managed to escalate
> to root, and this was clearly visible in SELinux and other system logs. I
> simply purged that user account and had everything working in no time.

But that means you were running software with vulnerabilities or a user would not be able to become root anyway. Is that due to not being up to date (i.e. would normal, non-SELinux measures have been enough), or was this before a fix was available?

--
Les Mikesell
lesmikesell at gmail.com